SSH access to switches

jesse.garcia11 · ‎04-17-2023

Hi Everyone, I am having trouble getting our switches to accespt ssh connections, or any remote access, based off of mac addresses. Currently we have extended acl set that limits IP address access. The only thing with this is that we have to remote into our desktops just to access site switches, even when we are onsite. So I was looking up how to create acl based on mac address, rather than IP since each site has a different subnet. I could not find any documentation on this. Does this mean it is not possible? If you can point me in the right direction I would appreciate it. Thank You.

MHM Cisco World · ‎04-17-2023

what MAC address give you add to IP ?

jesse.garcia11 · ‎04-17-2023

I dont understand your question sir.

MHM Cisco World · ‎04-17-2023

Why you looking for mac acl, what make IP acl not suitable for you? Can you more elaborate.

Thanks

MHM

jesse.garcia11 · ‎04-17-2023

Oh thank you @MHM Cisco World . I can static my desktop easily. as it is not mobile. But I cannot static my Laptop ipv4 address. We have 7 sites all with different subnets for WIFI. If I did static the laptop, I would not have access to other sites as the Core Router at each site will only see its assigned subnet. IE if I static to one school subnet, I will not be routable at another school since it does not recognize the address. This is how it was created long before our department received laptops. Does that make sense? Do you know of any other way to secure access for the laptop>?

MHM Cisco World · ‎04-17-2023

Mac acl in your network not help you'

The IP will preserve same all patg except case there is NATing

Mac add is change from one l3 to other. So mac acl is not right solution.

What I think is using l2tp and connect to edge router via public ip and then use l2tp private ip for ssh to sw's, this private IP is always use and can use in ACL.

ahollifield · ‎04-17-2023

Are you looking for a dynamic VTY ACL? A remote switch would not know a remote MAC address, it would only be aware of the IP.

jesse.garcia11 · ‎04-17-2023

Thank You @ahollifield . Would you have any other recommendations as to how to enable secure access for our laptop to SSH into the switches?

ahollifield · ‎04-17-2023

TACACS+ with MFA? And a VTY ACL containing only trusted management VLANs?

jesse.garcia11 · ‎04-17-2023

Thank You very much. I will be looking into this

Christopher Bell · ‎04-18-2023

If you have the option of using a jumpbox, you can limit the ACL on your mgmt vlan or mgmt interface to this IP and maybe a fallback subnet or IP just in case your jump box is down.

If this posts answers your question or is helpful, please consider rating it and/or marking as answered.

Dustin Anderson · ‎04-17-2023

We have similar and went as ahollifield suggested and made admin vlans and just have them in the ACL. We only have 2 sites that admins are at and remotely we just use a console cable, but can be done either way. A bit of work making admin vlans and rules to put you on them, but once it's set up will be a lot easier in the long run.